Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Ideal Lattices Damien Stehl´e ENS de Lyon Berkeley, 07/07/2015 Damien Stehl´e Ideal Lattices 07/07/2015 1/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Lattice-based cryptography: elegant but impractical Lattice-based cryptography is fascinating: simple, (presumably) post-quantum, expressive But it is very slow Recall the SIS hash function: 0, 1 m Zn { } → q x xT A 7→ · Need m = Ω(n log q) to compress O(1) m n q is n , A is uniform in Zq × O(n2) space and cost ⇒ Example parameters: n 26, m n 2e4, log q 23 ≈ ≈ · 2 ≈ Damien Stehl´e Ideal Lattices 07/07/2015 2/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Lattice-based cryptography: elegant but impractical Lattice-based cryptography is fascinating: simple, (presumably) post-quantum, expressive But it is very slow Recall the SIS hash function: 0, 1 m Zn { } → q x xT A 7→ · Need m = Ω(n log q) to compress O(1) m n q is n , A is uniform in Zq × O(n2) space and cost ⇒ Example parameters: n 26, m n 2e4, log q 23 ≈ ≈ · 2 ≈ Damien Stehl´e Ideal Lattices 07/07/2015 2/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Lattice-based cryptography: elegant but impractical Lattice-based cryptography is fascinating: simple, (presumably) post-quantum, expressive But it is very slow Recall the SIS hash function: 0, 1 m Zn { } → q x xT A 7→ · Need m = Ω(n log q) to compress O(1) m n q is n , A is uniform in Zq × O(n2) space and cost ⇒ Example parameters: n 26, m n 2e4, log q 23 ≈ ≈ · 2 ≈ Damien Stehl´e Ideal Lattices 07/07/2015 2/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Lattice-based cryptography: elegant but impractical Lattice-based cryptography is fascinating: simple, (presumably) post-quantum, expressive But it is very slow Recall the SIS hash function: 0, 1 m Zn { } → q x xT A 7→ · Need m = Ω(n log q) to compress O(1) m n q is n , A is uniform in Zq × O(n2) space and cost ⇒ Example parameters: n 26, m n 2e4, log q 23 ≈ ≈ · 2 ≈ Damien Stehl´e Ideal Lattices 07/07/2015 2/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Speeding up linear algebra s s1 s2 ... sm A mn rows ⇒ m blocks . Matrix A is structured by block Structured matrices much less space ⇒ Structured matrices polynomials fast algorithms ≡ ≡ For n 26, m 24, log q 23: 219 vs 213 bits ≈ ≈ 2 ≈ Damien Stehl´e Ideal Lattices 07/07/2015 3/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Speeding up linear algebra s s1 s2 ... sm A mn rows ⇒ m blocks . Matrix A is structured by block Structured matrices much less space ⇒ Structured matrices polynomials fast algorithms ≡ ≡ For n 26, m 24, log q 23: 219 vs 213 bits ≈ ≈ 2 ≈ Damien Stehl´e Ideal Lattices 07/07/2015 3/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Structured lattices in crypto: historical perspective [NTRU’96,’98,’01]: Encryption and signature, heuristic security [Micciancio03]: One-way hash function with cyclic lattices [LyMi06,PeRo06]: Ring-SIS, collision-resistant hashing [Lyu08,Lyu12,DDLL13]: Schnorr-like Ring-SIS signature [Gentry09]: Fully homomorphic encryption [SSTX09]: Fast encryption based on ideal lattices [LyPeRe10]: Ring-LWE [GaGeHa13]: was a candidate cryptographic multilinear map Damien Stehl´e Ideal Lattices 07/07/2015 4/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Structured lattices in crypto: historical perspective [NTRU’96,’98,’01]: Encryption and signature, heuristic security [Micciancio03]: One-way hash function with cyclic lattices [LyMi06,PeRo06]: Ring-SIS, collision-resistant hashing [Lyu08,Lyu12,DDLL13]: Schnorr-like Ring-SIS signature [Gentry09]: Fully homomorphic encryption [SSTX09]: Fast encryption based on ideal lattices [LyPeRe10]: Ring-LWE [GaGeHa13]: was a candidate cryptographic multilinear map Damien Stehl´e Ideal Lattices 07/07/2015 4/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Structured lattices in crypto: historical perspective [NTRU’96,’98,’01]: Encryption and signature, heuristic security [Micciancio03]: One-way hash function with cyclic lattices [LyMi06,PeRo06]: Ring-SIS, collision-resistant hashing [Lyu08,Lyu12,DDLL13]: Schnorr-like Ring-SIS signature [Gentry09]: Fully homomorphic encryption [SSTX09]: Fast encryption based on ideal lattices [LyPeRe10]: Ring-LWE [GaGeHa13]: was a candidate cryptographic multilinear map Damien Stehl´e Ideal Lattices 07/07/2015 4/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Roadmap Goals of this talk Introduce Ring-SIS and Ring-LWE Describe the lattices that lurk behind 1- Ideal lattices 2- Ring-SIS 3- Ring-LWE 4- Other lattices from algebraic number theory Damien Stehl´e Ideal Lattices 07/07/2015 5/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Roadmap Goals of this talk Introduce Ring-SIS and Ring-LWE Describe the lattices that lurk behind 1- Ideal lattices 2- Ring-SIS 3- Ring-LWE 4- Other lattices from algebraic number theory Damien Stehl´e Ideal Lattices 07/07/2015 5/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Some algebra Number field Let ζ C algebraic with minimum polynomial P Q[X ]. Let ∈ ∈ n 1 i K := − Q ζ C Pi=0 · ⊆ Q with n = deg P. This is a field, and K ∼= [X ]/P. Ring of integers of K i The ring of integers R = K is the set of yi ζ K that are O · ∈ roots of monic polynomials with integer coefficients.P n 1 i Z[X ]/P = − Z ζ R. ∼ Pi=0 · ⊆ In general, the inclusion is strict. But there always exist (ζi )i such that R = Z ζi . Pi · In general, finding a Z-basis of R from P is expensive Damien Stehl´e Ideal Lattices 07/07/2015 6/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Some algebra Number field Let ζ C algebraic with minimum polynomial P Q[X ]. Let ∈ ∈ n 1 i K := − Q ζ C Pi=0 · ⊆ Q with n = deg P. This is a field, and K ∼= [X ]/P. Ring of integers of K i The ring of integers R = K is the set of yi ζ K that are O · ∈ roots of monic polynomials with integer coefficients.P n 1 i Z[X ]/P = − Z ζ R. ∼ Pi=0 · ⊆ In general, the inclusion is strict. But there always exist (ζi )i such that R = Z ζi . Pi · In general, finding a Z-basis of R from P is expensive Damien Stehl´e Ideal Lattices 07/07/2015 6/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Cyclotomic fields Cyclotomic polynomial m Φm is the unique irreducible polynomial dividing X 1 which is − not dividing any X k 1 for k < m. − 2ikπ Φm(X ) = (X e m ). Qk:gcd(k,m)=1 − m/2 If m is a power of 2, then Φm =1+ X • X m 1 If m is prime, then Φm = X −1 • − Cyclotomic field 2iπ m Q The mth cyclotomic field is K(e ) ∼= [X ]/Φm. Why cyclotomic fields? More is known, and they tend to be simpler to deal with n 1 i E.g.: R = − Z ζ = Z[x]/Φm Pi=0 · ∼ Damien Stehl´e Ideal Lattices 07/07/2015 7/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Cyclotomic fields Cyclotomic polynomial m Φm is the unique irreducible polynomial dividing X 1 which is − not dividing any X k 1 for k < m. − 2ikπ Φm(X ) = (X e m ). Qk:gcd(k,m)=1 − m/2 If m is a power of 2, then Φm =1+ X • X m 1 If m is prime, then Φm = X −1 • − Cyclotomic field 2iπ m Q The mth cyclotomic field is K(e ) ∼= [X ]/Φm. Why cyclotomic fields? More is known, and they tend to be simpler to deal with n 1 i E.g.: R = − Z ζ = Z[x]/Φm Pi=0 · ∼ Damien Stehl´e Ideal Lattices 07/07/2015 7/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Cyclotomic fields Cyclotomic polynomial m Φm is the unique irreducible polynomial dividing X 1 which is − not dividing any X k 1 for k < m. − 2ikπ Φm(X ) = (X e m ). Qk:gcd(k,m)=1 − m/2 If m is a power of 2, then Φm =1+ X • X m 1 If m is prime, then Φm = X −1 • − Cyclotomic field 2iπ m Q The mth cyclotomic field is K(e ) ∼= [X ]/Φm. Why cyclotomic fields? More is known, and they tend to be simpler to deal with n 1 i E.g.: R = − Z ζ = Z[x]/Φm Pi=0 · ∼ Damien Stehl´e Ideal Lattices 07/07/2015 7/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Ideals Ideal of K O I R is an (integral) ideal if a, b I , r R: ⊆ ∀ ∈ ∀ ∈ a + b I and r a I . ∈ · ∈ If I = 0 , then R/I is a finite ring and we let (I )= R/I . 6 { } N | | Principal ideal If g R, then (g)= g R is an ideal, called principal ideal. ∈ · For large n, most ideals are not principal. • Every ideal is of the form i n gi Z for some gi R. • P ≤ · ∈ Every ideal is generated by 2 elements: • I = g R + g R for some g , g R 1 · 2 · 1 2 ∈ Damien Stehl´e Ideal Lattices 07/07/2015 8/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Ideals Ideal of K O I R is an (integral) ideal if a, b I , r R: ⊆ ∀ ∈ ∀ ∈ a + b I and r a I .